Building a SaaS Application on Azure AKS with Github Actions

torosgo/saas-aks


A demo project that deploys an AKS cluster and ACR, then builds and deploys a sample Node.js Express web application for a multi-tenant environment. When you complete the steps below, you will have the following:

  • AKS with
    • Public API server endpoint
    • RBAC enabled
    • "standard" load balancer for public services
    • "azure" CNI and network policy
    • Container insights enabled
    • Microsoft Defender for Containers enabled
    • Open Service Mesh enabled
    • Azure Key Vault Provider for Secrets Store CSI Driver
  • Azure Key Vault
  • ACR with the application container image built and pushed
  • Kubernetes namespace for the tenant
  • Namespace based resource quota for the tenant
  • Network policy to isolate namespace from other tenant namespaces
  • Application pulled from ACR and deployed to tenant namespace

Usage:

Prerequisites

  • Azure subscription
  • GitHub account
  • Complete prerequisites for enabling Microsoft Defender for Containers
  • Complete prerequisites for enabling KEDA

1- Clone Repository

git clone <URL of this repo>

2- Set GitHub Actions Secrets

a. Set Azure subscription id as GitHub Actions Secret

Store the Azure subscription ID as a GitHub Actions secret named SUBSCRIPTIONID. You can get the subscription ID from the portal or with the following command:

az account subscription list -o table

b. Generate Azure deployment credentials and set as GitHub Actions Secret

Create a service principal with the az ad sp create-for-rbac command in the Azure CLI. The command below gives it the contributor role over the whole subscription.

az ad sp create-for-rbac --name "<sp_name>" --role contributor --scopes /subscriptions/<subscription_id> --sdk-auth

Copy the JSON output, which looks like the sample below, and paste it into a GitHub Actions secret named AZURE_CREDENTIALS.

  {
    "clientId": "<GUID>",
    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
    (...)
  }

3- Make customizations

Make customizations in workflows, ARM templates or app code if necessary.

4- Run GitHub Workflow "Deploy baseline"

Run this workflow once to provision AKS, ACR, and build/push the application container image. This workflow:

  • Deploys AKS with
    • Kubernetes API server with public IP endpoint
    • RBAC enabled
    • Load Balancer "Standard" for public services
    • "azure" CNI and Network Policy
    • Container Insights enabled
    • Microsoft Defender for Containers enabled
    • Open Service Mesh enabled
    • Azure Key Vault Provider for Secrets Store CSI Driver enabled
  • Deploys ACR
  • Deploys Azure Key Vault
  • Builds and pushes the image to ACR

5- Run GitHub Action Workflow "Deploy tenant"

Run this workflow once for each new tenant that is onboarded. This workflow:

  • Creates a Kubernetes namespace for the tenant
  • Applies namespace based resource quota for the tenant
  • Applies network policy to isolate namespace from other tenant namespaces
  • Uses the Secrets Store CSI add-on: creates a SecretProviderClass and uses it in a Pod
  • Pulls the application from ACR and deploys it to the tenant namespace
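
The per-tenant objects this step creates (namespace, resource quota, namespace-isolation network policy), sketched as an added example that is not taken from this repository's workflows. The function names, object names and quota values are assumptions made for illustration; the tenant name is checked before it is templated into the manifest.

```sh
# Added example: renders the namespace, quota and network policy for one tenant.
# Object names and quota values are constructed, not the repository's own.
LC_ALL=C   # make a-z in the pattern below mean ASCII lowercase only

# Accept only DNS labels (the form Kubernetes requires for a namespace name),
# so a tenant id can never carry YAML syntax into the manifest.
valid_tenant() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 63 ] || return 1
  case $1 in
    *[!a-z0-9-]* | -* | *-) return 1 ;;
  esac
}

render_tenant() {
  tenant=$1
  valid_tenant "$tenant" || { echo "invalid tenant name" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${tenant}
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
  namespace: ${tenant}
spec:
  hard:                      # sample limits for the whole namespace
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: ${tenant}
spec:
  podSelector: {}            # applies to every pod in the tenant namespace
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}    # only pods in this same namespace may connect
EOF
}
```

Pipe the output of `render_tenant tenant-a` to `kubectl apply -f -` to create the objects. Because the policy admits only same-namespace pods, traffic from outside the namespace, including anything arriving through a public load balancer, needs its own allow rule.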

Support

No SLA. Continuous development. Use at your own risk. Please read License.

Contributing

Contributions are welcome.

Copyright

Copyright © 2023.

License

This document is open source software licensed under the Apache License 2.0.